Currently set to No Index

Use of DNS TXT Records to Amplify DDoS Attacks

DoS (Denial of Service) attacks cover any type of malicious interference that degrades website services. Attackers use bots to clog the data pipeline of a server, reducing the amount of bandwidth available to legitimate users. It can also flood the capacity of a server, forcing it to reset. Richard Stallman, the software freedom activist, has stated that the use of DoS constitutes ‘Internet Street Protests’, giving the impression that DoS instigators are some sort of folk heroes. Many businesses have a different perspective. DoS has been responsible for significant economic damage. A lawsuit filed by Earthlink against hacker Khan C. Smith alleges that the 1998 illegal Defcon event perpetrated billions in lost revenue. In the United States, DoS is considered a federal crime. The Computer Fraud and Abuse Act list penalties that can include prison terms lasting years.

Symptoms of DoS

Common targets of DoS are high-profile web servers, such as credit card payment gateways, banks, and even root nameservers. They have also become very common in business. In 2014, the frequency of DoS attacks reached 28 / hour. For this reason, the symptoms have become recognizable warning signs. These include:


  • Atypically slow network performance, either accessing the website or downloading files
  • Inability to access a particular website, or any website
  • Forced wireless or wired disconnects
  • Significant increase in email spam
  • Long term denial of availability of internet services

DoS Defense

Server management software can detect many types of DoS attacks. In fact, the regular release of operating system security updates targets vulnerabilities and prepares systems to recognize threats. Once a DoS attack is detected, systems can respond by blocking the source computer. It can also attempt to identify the computer and shut it down.

RELATED:   What Does Web Hosting Support Entail

Multiple Source Computers

Hackers have intensified the effect of DoS attacks by targeting specific servers with multiple source computers. Any attack that includes two or more sources is called DDoS (Distributed Denial of Service.) This greatly increases the ability of the attacker to consume resources. It also makes blocking and detecting the source of the attacks much more difficult.

The problem with DDoS is that attackers do not have to own multiple machines. They can enlist other computers by distributing Trojan viruses. This allows cybercriminals to mount a distributed attack without the consent of the source computer owners.

Amplification Attacks

DDoS attackers do not necessarily need to infect a cadre of additional source computers. Instead, they can use a spoofed attack. In this strategy, hackers send information requests to a large number of computers. These requests all have the return address of the server targeted for the attack. The large number of responses from the spoofed computers floods the server.

Many internet services can be used for this spoofing strategy. Some are very difficult to block. One of the highest bandwidth amplification factors belong to spoofs employing the DNS. Amplification factors can reach as high as 179.

A Recent DNS Flooder Tool

Akamai is a leading provider of cloud services. Akamai’s Prolexic Security Engineering and Research Team (PLXsert) has detected a new type of DDoS campaign, beginning in October 4, 2014. The amplification leverages the ability to illicit large responses from relatively small request packets. The cybercriminals implement the strategy by creating large DNS TXT (text records) to increase the magnitude of the attacks. Recent attacks have included fragments of text extracted from White House press releases.

RELATED:   Social Networking Wars – A Great Show, and an Educational One

Continued Use

PLXsert has evidence that these new types of DNS attacks continue to be employed today. Hackers continue to craft custom TXT records, directing illegitimate traffic to DNS servers and other sites. With this technique, attackers have an effective way to overwhelm the target site and prevent its ability to respond to legitimate requests.

The DNS Toolkit Particulars

The DNS Flooder Toolkit is a cybercriminal’s dream. It offers the following features:

  • Attacks are completely anonymous – the toolkit hides the IP address of the attacker.
  • The toolkit requires few resources. Amplification allows the attacker to operate with his or her own modest number of servers. This mitigates the need to hunt for vulnerable DNS servers to serve as DoS sources.
  • The toolkit is easy to use, reducing the barrier of the level of expertise required of the hacker.

As of February 11, 2015, considers the toolkit high risk. Administrators of high-profile sites should be aware of the DNS Flooder and take appropriate measures.

The Players

The primary target of crafted DNS TXT amplification is entertainment sites. These comprise 75.0% of the total number of targets. Other primary targets include education and high tech consulting websites. Specific targets include (the Internet Systems Consortium for more secure and reliable Internet use) and a number of .gov websites.

RELATED:   Leasing a Private Server - Managed and Dedicated Hosting Plans

The original 2014 attacks have been identified as coming from the domain. Dig results reveal malicious requests from continue to appear on the Internet. These requests initiate the attack by using open resolvers as intermediate targets to reflect traffic to a specified target. These attacks last a matter of days, and then begin to taper as server administrators block the requests.

DNS Reflection Mitigation

With the high frequency of DDoS attacks and the easy of launching a DNS Flooder campaign, the security community has developed several mitigation techniques. Because the Flooder uses similar tactics to other types of reflection attacks, including SNMP, SSDP, and CHARGEN, the protection providers have been able to leverage current technology.

The primary effect on the target service is the reduction of available resources due to the overall bandwidth generated. For this reason, DNS reflection attacks can be successfully defeated at the network edge. Where available bandwidth exceeds the attack volume, an access control list (ACL) offers sufficient protection. Some DNS servers may attempt to try the response again through TCP, but no transfer will initiate and the retry will fail. One of the best mitigation strategies is to use a DDoS cloud-based protection service. Akamai Technologies are one of the leading providers of such a service.

In the meantime, watchdog organizations such as PLXsert continue to monitor these types of DDoS campaigns. They will continue to protect the online community by posting future advisories and releasing updates to their protection services as needed.

How to Find a Successful Name For Your New Blog?
How to Find a Successful Name For Your New Blog?

One of the most important decisions you can make to ensure your blog is among the best is to select a name. While there are more than 500 million blogs available...

How-to Start a Blog – Review of the Best 10 Blogging Platforms
How-to Start a Blog – Review of the Best 10 Blogging Platforms

If you want to start a blog as fast as possible, then you need to consider choosing a blogging platform. Thankfully, there are some excellent free and paid blogging platforms...

How Referral Marketing Can Benefit Web Hosts
How Referral Marketing Can Benefit Web Hosts

Even if the niche of web hosts are fully loaded with a lot of companies they are still one of the easiest to promote because you could write your own...

Broken Links: How to Find, Fix, and Benefit from Broken Links
Broken Links: How to Find, Fix, and Benefit from Broken Links

Links are what holds the web together. Essentially, the web is named as such because of the ability for pages and sites to link to other sources and relevant information....

Brand Value & the Most Powerful Brands (with Infographic)
Brand Value & the Most Powerful Brands (with Infographic)

Brand value – everyone wants it, however, only few are able to achieve it. The subject of “brand value” holds a significant position amongst marketers, executives, and entrepreneurs. Let’s discuss...

Reasons why your business should shift to Cloud hosting
Reasons why your business should shift to Cloud hosting

Cloud hosting has been on the rise since its inception. The improvement to your website performance and business efficiency that comes with Cloud hosting is almost tangible.

Why We Love the IT Support Career?
Why We Love the IT Support Career?

In almost all of my posts I was talking about the stressful side of the IT – the long hours, end user issues, migrations, midnight calls and the like. But...

IT Manager: Ways To Show Your Appreciation To Your Team
IT Manager: Ways To Show Your Appreciation To Your Team

Surely your team struggled hard and made things happen. You cannot say “this is what you get paid for” and just leave – you cannot keep your IT staff that...

Leave a Reply

Your email address will not be published. Required fields are marked *